Closed Bug 666516 Opened 11 years ago Closed 11 years ago

overriding ";1" causes a crash in the certManager.xul


(Core :: Security: PSM, defect, P1)




Tracking Status
firefox8 --- fixed


(Reporter: passfree, Assigned: bzbarsky)


(Whiteboard: [qa?])


(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.797.0 Safari/535.1
Build Identifier: xulrunner (all versions)

This is an old bug and it was reported like 2 years ago. I thought it was fixed but that is not the case in xul2.0 and perhaps even xul5.0

In summary, if we override;1 via the following chrome manifest

component      {6c367300-5a77-11df-a08a-0800200c9a61}                    components/CertOverrideService.js
contract;1                      {6c367300-5a77-11df-a08a-0800200c9a61}

A crash will occur within certManager.xul when the following line is invoked 

serverTreeView.loadCertsFromCache(certcache, nsIX509Cert.SERVER_CERT);

As far as I remember the issue was somehow related to the way the XPCOM instance was handled in the C code (old code conventions?).

This service;1 is actually overridden by several popular extensions and products such as Selenium. A legitimate reason for overriding it is to hide bad ssl certificate problems.

Reproducible: Always

Steps to Reproduce:
See above.

Actual Results:  
The app crashes when certManager.xul is opened.

Expected Results:  
It should not crash.
You mean bug 564584 which is marked fixed
Component: XPConnect → Security: UI
QA Contact: xpconnect → ui
Unfortunately, not fixed.
If you're getting a crash here, what's the stack look like?  Is there a breakpad incident id?
Actually, nevermind.  nsCertTree::GetCertsByTypeFromCertList has exactly the sort of code that was causing crashes in bug 564584, and the thing it's working with was gotten by contract id...  <sigh>.
Severity: major → critical
Ever confirmed: true
Component: Security: UI → Security: PSM
QA Contact: ui → psm
I can confirm that Xulrunner 6.0, FF6 still crash.
Attached patch FixSplinter Review
This is ridiculous.  This code should never have been written....
Attachment #555170 - Flags: review?(kaie)
Assignee: nobody → bzbarsky
Priority: -- → P1
Comment on attachment 555170 [details] [diff] [review]

Yes, I agree this code wasn't written as future-proof as it should had.

And yes, we need more people caring for PSM and helping out with it, in particular with writing/reviewing patches and fixing correctness issues.

Thanks a lot for your fix, I appreciate it.

Attachment #555170 - Flags: review?(kaie) → review+
Whiteboard: [need landing]
Flags: in-testsuite?
Whiteboard: [need landing]
Target Milestone: --- → mozilla9
Comment on attachment 555170 [details] [diff] [review]

Given that this is causing extension crashes, we should at least consider it for aurora.
Attachment #555170 - Flags: approval-mozilla-aurora?
Comment on attachment 555170 [details] [diff] [review]

Approved, please land on Aurora (Firefox Update 8.)
Attachment #555170 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Closed: 11 years ago
Resolution: --- → FIXED
Can QA get some help verifying this bug fix? Either passfree, if you can verify this on Firefox 8 Aurora, or if you can provide some more details on how to use the testcase you provided. It's not completely clear to QA how to utilize your testcase.

Whiteboard: [qa?]
I have verified that it works in 8. Though, I am not completely sure if this bug has been fully fixed everywhere.
You need to log in before you can comment on or make changes to this bug.